Full Report
The Belarus-aligned threat group known as Ghostwriter has been attributed to a fresh set of attacks targeting governmental organizations in Ukraine. Active since at least 2016, Ghostwriter has been linked to both cyber espionage and influence operations targeting neighboring countries, particularly Ukraine. It's also tracked under the monikers FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC-0057
Analysis Summary
# Threat Actor: Ghostwriter
## Attribution & Identity
* **Identification:** Ghostwriter is a Belarus-aligned threat group active since at least 2016.
* **Aliases:** FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC-0057, Umbral Bison (formerly RepeatingUmbra), UNC1151, and White Lynx.
* **Known Associations:** The group is closely aligned with Belarusian interests and has been linked to both cyber espionage and influence operations.
## Activity Summary
The actor has recently (since March 2026) launched a fresh wave of attacks against Ukrainian government entities. These operations use geofenced PDF phishing lures and a multi-stage infection chain. Historically, the group has shown high operational maturity, evolving from credential harvesting through web-application vulnerabilities to malware delivery gated behind dynamic CAPTCHAs and backed by exploitation of known vulnerabilities.
## Tactics, Techniques & Procedures
* **Spear-Phishing:** Delivery of malicious PDFs through email attachments.
* **Geofencing:** Server-side checks on the client's source IP: the lure URL returns benign content to clients outside Ukraine (which covers most sandboxes, URL scanners and analyst VPN egress) and the malicious payload only to clients inside the country.
* **Impersonation:** Masquerading as legitimate entities like the Ukrainian telecommunications company Ukrtelecom.
* **Social Engineering:** Use of lure documents, dynamic CAPTCHA checks (observed late 2023), and fake government portals.
* **Exploitation:**
* **CVE-2023-38831:** WinRAR archive-handling flaw (a file and a same-named folder with a trailing space cause the folder's script to run when the user opens the decoy document) used to deploy malware.
* **CVE-2024-42009:** Stored cross-site scripting (XSS) in Roundcube webmail, triggered when a victim views a crafted email, used for credential theft.
* **Beaconing & Fingerprinting:** Periodic transmission of host metadata to C2 infrastructure roughly every 10 minutes; operators review the profiled hosts and select which ones receive follow-on payloads.
* **Execution:** RAR archives containing a JavaScript file that, when opened through Windows Script Host, launches downstream malware.
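The geofencing step above can be made concrete with a small simulation. This is an added example, not Ghostwriter code: the IP prefixes are RFC 5737 documentation ranges standing in for real allocations (an assumption), the response bodies are placeholders, and the allow/deny split is a hypothetical operator policy. What it shows is the server-side decision and the analyst check that exposes it: fetch the same URL from several egress addresses and compare what comes back.

```python
"""Simulation of a geofenced lure server and the multi-vantage check that
reveals it. Added example; prefixes and bodies are placeholders."""
import hashlib
import ipaddress

# Assumed operator allow-list: client ranges that receive the real lure.
TARGET_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed deny-list: known sandbox/scanner egress, always served benign content.
DENY_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

BENIGN_BODY = b"%PDF-1.7 placeholder: ordinary notice, no active content"
LURE_BODY = b"%PDF-1.7 placeholder: lure linking to stage-2 downloader"


def classify_client(ip_text):
    """'deny' for listed scanner ranges, 'target' inside the allow-list,
    otherwise 'outside'. Deny is checked first so an overlap never leaks the lure."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in DENY_PREFIXES):
        return "deny"
    if any(ip in net for net in TARGET_PREFIXES):
        return "target"
    return "outside"


def serve_lure(client_ip):
    """Geofenced handler: only 'target' clients receive the lure body."""
    return LURE_BODY if classify_client(client_ip) == "target" else BENIGN_BODY


def views_diverge(fetch, vantage_ips):
    """Analyst check: fetch the same URL through several egress addresses and
    compare content hashes. More than one distinct hash means the server keys
    its response on client identity, so a 'clean' verdict from a single
    out-of-region detonation is not trustworthy."""
    digests = {ip: hashlib.sha256(fetch(ip)).hexdigest()[:12] for ip in vantage_ips}
    return len(set(digests.values())) > 1, digests


if __name__ == "__main__":
    diverge, digests = views_diverge(serve_lure, ["192.0.2.10", "203.0.113.77", "198.51.100.5"])
    print("geofenced:", diverge)
    for ip, d in digests.items():
        print(f"  {ip:>15} {classify_client(ip):>8} sha256={d}")
```

The practical takeaway is the last function: when only one vantage point is available and it sits outside the target region, a benign result says nothing about what an in-country victim would have received.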
## Targeting
* **Sectors:**
* **Ukraine:** Military, defense sector, and governmental organizations.
* **Poland/Lithuania:** Industrial and manufacturing, healthcare, pharmaceuticals, logistics, and government sectors.
* **Geography:** Primarily Ukraine, Poland, and Lithuania (Eastern Europe).
* **Victims:** Specifically noted targeting of Ukrainian government entities and users of Ukrtelecom services.
## Tools & Infrastructure
* **Malware Families:**
* **PicassoLoader:** A downloader (now seen in a JavaScript version) used as a conduit for other payloads.
* **Cobalt Strike Beacon:** Used for post-exploitation and command and control.
* **njRAT:** Remote access trojan.
* **DarkCasino:** Not a malware family and not a Ghostwriter tool; it is the name under which a separate actor was tracked for exploiting CVE-2023-38831 as a zero-day before other groups, Ghostwriter included, adopted the same vulnerability. It appears in the source only in that context.
* **Infrastructure:**
* **C2:** Attacker-controlled domains and IPs used for host profiling and beaconing.
* **Phishing URLs:** No lure URLs or domain indicators are published in the source report.
* **Host Fingerprinting:** Automated scripts sending host metadata to C2 on a fixed cadence of roughly 10 minutes.
## Implications
Ghostwriter represents a persistent, adaptive, and operationally mature threat to Eastern European security. Their shift toward geofenced delivery and manual "selection" of victims from fingerprinted hosts indicates a highly targeted approach designed to evade sandbox analysis and automated detection. The group's ability to pivot between influence operations (disinformation) and pure espionage makes them a critical threat to governmental stability and military intelligence.
## Mitigations
* **Geofencing Awareness:** Sandboxes and URL scanners whose egress sits outside Ukraine will only ever see the benign branch of a geofenced lure. Detonate suspicious URLs from in-region egress where possible, and treat a "clean" verdict from a single out-of-region detonation as inconclusive rather than as evidence the link is safe.
* **Patch Management:** Immediate patching of known exploited vulnerabilities, specifically WinRAR (CVE-2023-38831, fixed in WinRAR 6.23) and Roundcube (CVE-2024-42009, fixed in Roundcube 1.6.8 and 1.5.8).
* **PDF/Archive Security:** Implement strict controls on incoming PDF and RAR files: disable JavaScript execution in PDF readers, quarantine archives that contain script files (.js, .jse, .wsf, .vbs), and change the default handler for those extensions from Windows Script Host to a text editor so that double-clicking an extracted script does not execute it.
* **Email Security:** Deploy phishing protection that follows links at delivery and click time rather than relying on static reputation, since geofenced and CAPTCHA-gated lures are designed to look benign to automated scanners.
* **Endpoint Monitoring:** Monitor for `wscript.exe` or `cscript.exe` launching scripts from user-writable drop locations (temporary directories, Downloads, WinRAR extraction folders), especially with an archive tool, Explorer or a browser as the parent, and for hosts making outbound connections to a single external address at a fixed ~10-minute cadence with little jitter.
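The two endpoint-monitoring points above, expressed as detection logic over sample data. This is an added example, not tooling from the source report or any vendor: the process events (Sysmon-like fields) and the connection log are constructed here, the 600-second expected interval comes from the report's 10-minute cadence, and the drop-directory pattern, jitter tolerance and minimum event count are assumptions to tune per environment.

```python
"""Detection helpers for two behaviours described in the report:
 1. wscript.exe / cscript.exe launched from user-writable drop directories
 2. outbound connections at a fixed ~10-minute interval with low jitter
Sample events below are constructed, not logs from a real incident."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# --- constructed sample: process-creation events (Sysmon EID 1 style) ---
PROCESS_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\olena\AppData\Local\Temp\Rar$DIa1234\Наказ.js"',
     "parent": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"host": "ws02", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\Scripts\inventory.vbs",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws03", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\ivan\Downloads\document.pdf.js",
     "parent": r"C:\Windows\explorer.exe"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# User-writable locations where archive extractors and browsers drop files (assumed list).
DROP_DIRS = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Temp)\\", re.IGNORECASE)


def suspicious_script_launches(events):
    """Return events where Windows Script Host runs a script from a drop directory."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith(SCRIPT_HOSTS):
            continue
        if DROP_DIRS.search(ev["cmdline"]):
            hits.append(ev)
    return hits


# --- constructed sample: outbound connection log "host timestamp dst:port" ---
CONN_LOG = """\
ws01 2026-03-10T09:00:02Z 203.0.113.25:443
ws01 2026-03-10T09:10:01Z 203.0.113.25:443
ws01 2026-03-10T09:20:03Z 203.0.113.25:443
ws01 2026-03-10T09:30:02Z 203.0.113.25:443
ws01 2026-03-10T09:40:01Z 203.0.113.25:443
ws02 2026-03-10T09:00:00Z 198.51.100.7:443
ws02 2026-03-10T09:03:41Z 198.51.100.7:443
ws02 2026-03-10T09:31:09Z 198.51.100.7:443
ws02 2026-03-10T09:32:50Z 198.51.100.7:443
ws02 2026-03-10T09:58:17Z 198.51.100.7:443
"""


def periodic_beacons(log, expected=600, tolerance=0.05, min_events=4):
    """Flag (host, dst) pairs whose inter-connection gaps cluster at `expected`
    seconds. A fingerprinting script that phones home every 10 minutes yields
    gaps of ~600 s with very little spread; interactive traffic does not.
    `tolerance` bounds both the distance from `expected` and the relative jitter."""
    series = defaultdict(list)
    for line in log.splitlines():
        host, ts, dst = line.split()
        series[(host, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for key, times in series.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = statistics.median(gaps)
        spread = statistics.pstdev(gaps) / med if med else float("inf")
        if abs(med - expected) <= expected * tolerance and spread <= tolerance:
            flagged[key] = {"median_gap_s": med, "jitter": round(spread, 4), "count": len(times)}
    return flagged


if __name__ == "__main__":
    for ev in suspicious_script_launches(PROCESS_EVENTS):
        print(f"[script-host] {ev['host']}: {ev['cmdline']} (parent {ev['parent']})")
    for (host, dst), info in periodic_beacons(CONN_LOG).items():
        print(f"[beacon] {host} -> {dst}: {info}")
```

The beacon check deliberately keys on a tight interval because that is what the report describes; an implant that randomises its sleep would need a wider `tolerance` or a different statistic, and the script-host rule should be paired with a parent-process allow-list so that legitimate logon scripts run by `svchost.exe` (as in the second sample event) are not flagged.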